CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteSystemdPrivate.php contains a PHP operator precedence bug in its CLI-only access guard. The script is intended to run exclusively from the command line, but the guard condition !php_sapi_name() === 'cli' never evaluates to true due to how PHP resolves operator precedence. The ! (logical NOT) operator binds more tightly than === (strict comparison), causing the expression to always evaluate to false, which means the die() statement never executes. As a result, the script is accessible via HTTP without authentication and will delete files from the server's temp directory while also disclosing the temp directory contents in its response. At time of publication, there are no publicly available patches.
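The precedence behaviour described above, as an added example rather than AVideo's own code: the guard expression quoted in the advisory next to one possible corrected form, plus a small audit helper for spotting the same pattern in other scripts. The function names, the corrected guard and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration, not AVideo source code.

// True when the guard quoted in the advisory would reach die() for this SAPI.
function guardAsShipped(string $sapi): bool
{
    // Parsed as (!$sapi) === 'cli': a boolean is never identical to a string.
    return !$sapi === 'cli';
}

// One possible corrected guard (assumption; no vendor patch is published).
function guardCorrected(string $sapi): bool
{
    return $sapi !== 'cli';
}

// Audit helper (hypothetical): return 1-based line numbers where a negation
// is applied to the SAPI name before it is compared.
function findNegatedSapiGuards(string $source): array
{
    $pattern = '/!\s*(php_sapi_name\s*\(\s*\)|PHP_SAPI)\s*[=!]==?/i';
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match($pattern, $line)) {
            $hits[] = $i + 1;
        }
    }
    return $hits;
}

// Constructed SAPI names: the CLI plus common web SAPIs.
foreach (['cli', 'apache2handler', 'fpm-fcgi'] as $sapi) {
    printf("%-15s shipped=%-7s corrected=%s\n", $sapi,
        guardAsShipped($sapi) ? 'blocked' : 'runs',
        guardCorrected($sapi) ? 'blocked' : 'runs');
}

// Constructed source lines used as sample input for the audit helper.
$sample = <<<'SRC'
if (!php_sapi_name() === 'cli') { die('CLI only'); }
if (php_sapi_name() !== 'cli') { die('CLI only'); }
if (!(PHP_SAPI === 'cli')) { die('CLI only'); }
SRC;
print_r(findNegatedSapiGuards($sample));
```

The audit helper is a line-based regular expression, so it only catches the negation written directly in front of the SAPI lookup; guards that store the SAPI name in a variable first need a manual read.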
Analysis
Unauthenticated remote attackers can bypass CLI-only access controls in WWBN AVideo versions 26.0 and prior via a PHP operator precedence bug in install/deleteSystemdPrivate.php, allowing HTTP access to delete server temp directory files and disclose their contents without authentication. The vulnerability stems from a logic error where !php_sapi_name() === 'cli' evaluates incorrectly due to operator binding precedence, causing the access guard to fail entirely. …
EUVD-2026-17652
GHSA-wwpw-hrx8-79r5